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strange title for a talk ? 



Keynote talks are not supposed to be technical 



I don't know much outside of technical stuff 



My approach: Sit back and reflect about where 
we're headed. Turn these musings into a talk. 



My views 



Former IRC kid in tine 90's 



Reverse engineering since '97 or so 



Vuln-dev etc. since '99 



Been around for a wliile, seen a few tilings 



"building a new Navy' 



Television Guy: "Isn't hiring 1000 computer 
experts terribly expensive ?" 

Dave Aitel: "On the one hand, yes - but not 
really if you are building a new Navy, which is 
what is happening here." 



Wait, what ? 



What does hiring hackers have in common with 

building a Navy ? 



Wate rway s 



The cheapest way to transport physical goods 

is shipping 

Control of shipping lanes is control of the flow 

of goods - and hence money 



The internet 



The cheapest way to transport bits is the 

internet 

Control of the network means control of 
transport lanes for "digital goods" 



Thesis of this talk 



We witnessed, during our lifetimes, tlie digital 
equivalent of the "La conquista" - but instead of 
a new continent that was discovered, this new 

continent was built. 



As the world's trade flows are becoming 
dependent on computers, we will see the rise of 

"new Navies". 



The Spanish Main 




History: 1500's 



Spain is the dominant superpower 

Discovery of tine new world - but until the 

1520's, it's a backwater 

With the 1520's, silver mining in Mexico starts 

It isn't until the 1570's that other countries catch 

on (more later) 



History (pre-2000) 



Pre-2000-hackers are mostly explorers - not 
law-abiding, but not primarily goal/profit-driven 

Trade volume on the internet is low 

With the first dot-com boom, trade rises 

With trade come opportunities for profit, both 

legal and illegal 



The internet pre-2000 



Nearly complete legal vacuum 



Not important enough to divert resources for 

policing it 



Law of the strongest - but on a very low level 



Situation in 2001 



15 year-old Canadian teens controlled then- 
huge DDoS networks 



Networks presumably controlled by the authors 
of TFN and Stacheldraht at the time: Much 

larger 



Situation in 2001 



"Internet-ending" Oday routinely in the hands of 

a few teenagers 

Significant percentage of the Internet 
compromised by amateurs 



Relatively little of "serious" nature happened: 
Not much money yet, hackers didn't know what 

to do with their warez 



Similarities 



The pre-2000 internet is very similar to early 

1500's Spanish Main 

Frontier area, but hardly anyone has 
recognized the future economic importance 

Lawless zone, but not by structure - by choice 

(e.g. disinterest) 



Boucanier (Buccaneer) 



Non-spanish, illicit settlers on Hispaniola 

Name derives from "boucan", a wooden grill 

used for smoking meat 

Traded in smoked meat initially - until they 
figured out that they can raid Spanish ships 



History: 1600's 



Spain vs France, vs Britain, vs Holland 

France, Britain, and Holland draw on existing 
Boucanier community to ramp up sea power 

Transformation: Small-scale pirates transform 
into large-scale privateering outfits 

At the same time: Ramp-up of regular Navies 



Hackers 



Unintended, illicit settlers on the early internet 

Traded in ways of exploring more of the new 

world 

Some identified ways of profiting off their 
exploration, sometimes criminal, but generally 

small-scale 



2001-2013 



Rapid economic and societal change through 
widespread adoption of the Internet 

Rise of Internet Giants: Amazon, Google, 

Facebook 



Expanded defense spending after 9-1 1 



Rise of privateering 



Governments realize importance of tlie Internet 

Large powers draw on existing Hacker 
community to ramp up network capability 

Hacker community splits up into interesting 

fragments 



Parallel ramp-up of surveillance / monitoring 



Fragments 



Navy: Full-on government employment 



Privateers: Hackers working as private industry, 
but backed by government policies 



Fragments 



Mercenaries to merchants: Hackers working to 
protect tine new trade routes / ports for internet 

giants 

Piracy: Enterprises witliout government or 

commercial backing 



"Letters of Marque" 



Allowed privateers to attack ships of other 

nations independently 



Often "in retribution for losses suffered" 



New York Times, two days ago: 

"As Chinese Leader's Visit Hears, U. S. Is 
Urged to Allow Counterattacks on Hackers" 



Privateers 



Clearly, there's a lobby for allowing privateering 



Government-backed, but private enterprise 



Mixing military and economic objectives 



Francis Drake 



Financed his raids on tlie Spanisli main 
througli tliird-party investors 

Britain could not openly support such raids 
without risking war with then-superpower, 

Spain 

Among the investors was Queen Elizabeth 



Francis Drake 



Ridiculously profitable: First big raid yielded 
50% of the annual British Crown's income from 

one Spanish ship 



Sounds familiar ? 



Will the architects behind industrial espionage 
operations be eventually knighted in their 
respective home countries ? 



Is the supposed Chinese economic espionage 
much different from the policies Britain had 
toward Spain in the late 1500s ? 



Piracy without home port 



Most pirates that refused to align witli a 
government, and that could not rely on a home 
port, were eventually executed 



Piracy without home port 



Wikileaks and TPB may be modern-day 
examples of "pirates" that did not have 

government backing. 



Privateering risl^s 



Henry Morgan led a raid on Porto Bello as 

British privateer 

Plunder from that raid alone: 300m USD in 

today's money 

British made peace with Spain, depriving him of 

his hobby 



Privateering risl^s 



Arrested him in April 1672, sliipped iiim to 

London 

His luck: War with the Dutch broke out, he was 

back in demand & freed 

Many unemployed privateers turned to piracy, 
and were then prosecuted & killed 



other amusing similarities 



The then-superpower Spain used privateers 
sparingly, and mostly relied on regular troops 

The challengers to Spanish hegemony used 

privateers freely 

Compare: "Western" approach to computer 
attacks vs. presumed Russian/Chinese 

approach 



Future: Short-term 



Short-term: The next 10 years 

"There are only two levels of difficulty in 
mathematics: Trivial and not understood" 

(Alan T. Huckleberry) 

"There are only two sorts of source code in IT: 
Trivial and code execution for the attacker" 



Future: Short-term 



Right model to think about security? 

Any opening of any document is equivalent to 
granting the attacker the ability to run arbitrary 

code 

Sandbox things tightly 



Future: Short-term 



Will sandboxing become sufficiently robust in 
the next 1 0 years to obsolete most bugs ? 

Transitive trust is the silent killer 

Compromise all large vendors now an6 steal 

their update signing keys 



Future: History 



Frontal, sea-side assaults on ports became 

impossible eventually 

Attacks on big ports in the Spanish Main 
happened mostly overland 



Why exploit if you can update ? 



The future 



Small trading outposts are abandoned, 
commerce is moved into defendable large ports 

Specialized convois transport goods under 

protection 



"Cloud" 



The future 



Eventually, Navies take over 



Navies perform tight surveillance of sea lanes 
and ensure safety for commerce 



Threats of conventional war & economic 
damage forces governments to rein in 

privateering 



The future 



This can take a long time 

Navy-style surveillance will probably mean full- 
packet capture for the internet 

-20 Exabyte / month - Utah Datacenter: 5 

Zetabyte storage 



The future 



This can be expensive 

Pompey eradicated piracy in the mediterranean 

in Roman times 

Rome dedicated 50% of their entire defense 
budget to this task (albeit only for a few monts) 



The future 



"Pax Britannica", but under the aegis of a 

different superpower ? 



Which one ? 



Any questions ? 



